I traced this error with gdb.
12 is coming from the openssl call SSL_get_verify_result; the openssl verify docs say that is:
12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
openssl crl -in tests/certs/ca-0-crl.pem -text
shows this:
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=UK/O=Collabora/OU=Wocky Test Suite/ST=Confused/CN=Wocky XMPP Library
Last Update: May 10 16:43:50 2012 GMT
Next Update: May 10 16:43:50 2013 GMT
CRL extensions:
I'm trying to figure out how to adjust the openssl config files in tests/certs to work with the current openssl, as it's pretty clear the fix is to generate an updated CRL.

I figured out how to update the CRL. The attached patch includes a CRL updated for 5 years and a reminder of how to update it in the future. Perhaps the perfect patch would either include a test for the CRL being expired in the future or a build target to update the CRL.
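
A check of the kind suggested in the comment above, one that flags the test CRL before it expires, could look like this. It is an added example, not part of the attached patch or of the project's code; the function names and the 30-day margin are assumptions, and the sample text is constructed from the fields quoted earlier in this report.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the validity fields as `openssl crl -text` prints them.
SAMPLE_CRL_TEXT = """\
    Signature Algorithm: sha256WithRSAEncryption
        Last Update: May 10 16:43:50 2012 GMT
        Next Update: May 10 16:43:50 2013 GMT
"""

_FIELD = re.compile(r"^\s*(Last|Next) Update:\s*(.+?)\s*$", re.MULTILINE)


def crl_validity(text):
    """Return (last_update, next_update) as timezone-aware UTC datetimes."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        # Single-digit days are padded with an extra space; normalise it.
        stamp = " ".join(stamp.split())
        try:
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        except ValueError:
            continue  # field present but not a timestamp
        found[kind] = parsed.replace(tzinfo=timezone.utc)
    if "Last" not in found or "Next" not in found:
        # Without both timestamps the validity window cannot be checked.
        raise ValueError("CRL text lacks a parseable Last/Next Update field")
    return found["Last"], found["Next"]


def crl_status(text, now, margin_days=30):
    """Classify a CRL as 'not-yet-valid', 'expired', 'expiring' or 'ok'."""
    last_update, next_update = crl_validity(text)
    if now < last_update:
        return "not-yet-valid"
    if now >= next_update:  # at or past Next Update is treated as expired here
        return "expired"
    if next_update - now <= timedelta(days=margin_days):
        return "expiring"  # still valid, but regenerate before tests break
    return "ok"


if __name__ == "__main__":
    # Pipe `openssl crl -in <file> -noout -text` in, or run on the sample.
    text = SAMPLE_CRL_TEXT if sys.stdin.isatty() else sys.stdin.read()
    status = crl_status(text, datetime.now(timezone.utc))
    print(status)
    sys.exit(0 if status == "ok" else 1)
```

Run in a test suite or build target, a non-zero exit on "expiring" gives warning before the verification error 12 starts failing the tests.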

Created attachment 120991
Update CRL including keeping the revoked certificate.
In my first attempt to fix this I didn't realize that the CRL included a revoked certificate, so after my update a different set of tests would fail.
In my second attempt I updated the CRL, improved the documentation about how to update the CRL, and replaced the second copy of the CRL in the tests/certs/crl/ directory with a symlink -- because it's easier to remember to update one copy than two.

(In reply to diane from comment #10)
> Created attachment 123020
> Final version of fix
Looks good to me.
The commit message seems to repeat some information, though:
"Additionally update the example crl update command line." -> this is already mentioned above, isn't it? "...how to update the CRL when it expires"

Btw, this never happened with gnutls. This reveals the interesting fact that gnutls does not check the CRL expiry date...
Also, it looks like you committed a CRL which is only for 1 year. Maybe you updated the template afterwards?
Last Update: Jan 12 05:46:37 2016 GMT
Next Update: Jan 11 05:46:37 2017 GMT
I have regenerated it now to last until 2021.